Little or No Jail Time Likely for Palin Hacker

It might seem obvious to most people that the hacker who gained unauthorized access to the private e-mail account of Republican vice-presidential candidate Sarah Palin violated the Stored Communications Act.

Under that law, a violation is committed by anyone who “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided;” or “(2) intentionally exceeds an authorization to access that facility; and thereby obtains…[an] electronic communication while it is in electronic storage in such system.”

But Kurt Opsahl, senior staff attorney at the Electronic Frontier Foundation, says not so fast.

Although the law seems clear on such a matter, the Department of Justice has taken a position on the law that could thwart its own prosecution of the hack under the SCA.

(Before anyone jumps to conclusions, the hacker could still be prosecuted under the Computer Fraud and Abuse Act. Keep reading to see discussion below about the CFAA.)

Electronic storage is defined in the Stored Communications Act as "any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof." E-mail that has arrived in a recipient’s inbox on his ISP’s server and that has not yet been opened would fall into this category.

The law also refers to electronic storage as "any storage of such communication by an electronic communication service for purposes of backup protection of such communication." E-mail that has been read but not deleted would fit this description.

In a U.S. 9th Circuit precedent, the court regarded both read and unread e-mail, or received and unreceived e-mail, as being in "electronic storage" under the SCA (See Theofel v. Farey-Jones, 359 F.3d 1066, 1075 (9th Cir. 2003)).

"[W]hen the recipient accesses an email but does not delete it, it moves from storage incident to transmission to backup storage under the second part of the SCA’s ‘electronic storage’ definition," Opsahl writes in a post on the EFF’s blog.

But Opsahl says the DOJ has taken a different view of the SCA. He points to the DOJ’s Prosecuting Computer Crimes Manual, which says that read e-mail is no longer stored communication.

The manual says, "If the recipient chooses to retain a copy of the communication on the service provider’s system, the retained copy is no longer in ‘electronic storage’ because it is no longer in ‘temporary, intermediate storage … incidental to … electronic transmission,’ and neither is it a backup of such a communication."

According to Opsahl:

The DOJ’s interpretation of the SCA means that any emails that Gov. Palin had already opened (but left on the Yahoo! Mail servers) would not be protected under this email privacy law. This would mean no SCA privacy protection for the majority, if not the entirety, of the Gov. Palin’s email messages at issue. As the DOJ acknowledges, "[i]f Theofel’s broad interpretation of ‘electronic storage’ were correct, prosecutions under section 2701 would be substantially less difficult…" On the flip side, if the DOJ were right and Theofel were wrong, any hacker responsible for obtaining access to those emails – or any other individual’s opened messages – could not be prosecuted under the SCA.

"While the DOJ guidelines are not binding on the DOJ, they certainly have persuasive authority," he said. "In this case I think the DOJ would be bound by its own interpretation of the statute and probably could not prosecute [the hacker under that statute] simply because of its own interpretation of the statute."

As mentioned above, the hacker could still be prosecuted under the CFAA, though likely for a misdemeanor, not a felony, since there was no actual loss that resulted from the hack. More specifically, he’d be prosecuted under 18 U.S.C. 1030(a)(2)(C), accessing a protected computer without authorization to obtain information.

Rasch says if the hacker were charged with a misdemeanor, he would likely face a sentence of zero to six months, depending on his history, attitude and contrition. If the hacker were to come forward and apologize to Palin and tell the FBI exactly what he did, prosecutors might take this into consideration.

"If the government treats this for what it really is, which was a kid who was curious to see if he could do this . . . then the kid should be in reasonably good shape" and face "little, if any, jail time," Rasch said.

There is also a possibility that the government could charge the hacker with a felony under the CFAA, depending on the whim of the prosecutor and whether he argued that the invasion of Palin’s privacy was a tortious act. Rasch likened the situation to the government’s charges against Lori Drew in the MySpace suicide case.

"It would be a stretch to charge a felony [in the Palin case], but if they want to be hard on [the hacker], they could do that," Rasch said. "I wouldn’t have predicted that they would use that argument in the MySpace case, but they did. So they could certainly do that to [Palin’s hacker]."
